Commit Graph

104 Commits

Author SHA1 Message Date
Aleksa Sarai a15d2c3ca0
merge branch 'pr-2073'
Odin Ugedal (7):
  Run verify-dependencies only on go1.x
  Don't add git utils to go.mod in CI
  Remove references to vndr
  Make CI script to verify that vendor is in sync
  Fix file permissions for mounts.bats
  Update spec test to use go.mod
  Add support for GO Modules

LGTMs: @hqhq @AkihiroSuda @cyphar
Closes #2073
2020-03-16 12:38:40 +11:00
Kir Kolyshkin 89c108b1be Makefile: add selinux and apparmor build tags
Both the selinux and apparmor subsystems can detect whether they are enabled,
and act accordingly. Compiling them in by default should help avoid
some frustration caused by missing build tags.

This should not change anything in case BUILDTAGS is already set.

README.md is amended to clarify what BUILDTAGS are enabled by
default.

[v2: add apparmor]
[v3: add it unconditionally, fix README]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-15 10:29:35 -07:00
Odin Ugedal 777f97d8de
Run verify-dependencies only on go1.x
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 10:46:34 +01:00
Odin Ugedal a08ab87fe9
Make CI script to verify that vendor is in sync
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Kenta Tada af3a81e48e Add rootless testpath in Makefile
This commit modifies Makefile for rootless test to select testpath.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-03-06 17:02:33 +09:00
Akihiro Suda 48b055c40a Makefile: allow overriding `docker` command
e.g. `make CONTAINER_ENGINE="sudo podman" unittest` (for ease of cgroup2 testing)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-03 23:59:14 +09:00
James Peach 13919f5dfd Remove the static_build build tag.
The `static_build` build tag was introduced in e9944d0f
to remove build warnings related to systemd cgroup driver
dependencies. Since then, those dependencies have changed and
building the systemd cgroup driver no longer imports dlopen.

After this change, runc builds will always include the systemd
cgroup driver.

This fixes #2008.

Signed-off-by: James Peach <jpeach@apache.org>
2019-10-26 08:28:45 +11:00
Julien Durillon 6770c8695a Allow to define `COMMIT` by env
Some package managers download the archive instead of cloning the git repo.
When they do that, the call to git fails.

This commit allows package managers to provide the COMMIT value via environment.

Signed-off-by: Julien Durillon <julien.durillon@clever-cloud.com>
2019-06-11 13:41:20 +02:00
Kir Kolyshkin 1e0d04c642 Makefile: rm cgo tag
There is no need to explicitly add `cgo` build tag, it is set
by go tools if cgo is enabled.

Fixes: ecd6463101

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-11-01 17:01:12 -07:00
Kir Kolyshkin 6a2c155968 libcontainer: ability to compile without kmem
Commit fe898e7862 (PR #1350) enables kernel memory accounting
for all cgroups created by libcontainer -- even if kmem limit is
not configured.

Kernel memory accounting is known to be broken in some kernels,
specifically the ones from RHEL7 (including RHEL 7.5). Those
kernels do not support kernel memory reclaim, and are prone to
oopses. Unconditionally enabling kmem acct on such kernels leads
to bugs, such as

* https://github.com/opencontainers/runc/issues/1725
* https://github.com/kubernetes/kubernetes/issues/61937
* https://github.com/moby/moby/issues/29638

This commit gives a way to compile runc without kernel memory setting
support. To do so, use something like

	make BUILDTAGS="seccomp nokmem"

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-10-31 20:35:51 -07:00
Kenta Tada b399167f2c Add docker proxy settings for make test in a proxy environment
This commit modifies Makefile to execute `make test` in a proxy environment.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2018-08-22 18:19:48 +09:00
Kenta Tada b681b58e8a Fix the problem TESTFLAGS is not to be used in Makefile correctly
This commit modifies Makefile to handle test targets correctly.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2018-07-11 17:50:47 +09:00
Kir Kolyshkin 7fb79f318d Add osusergo flag to static build
This should fix the following (very legitimate) warnings on static
build:

> /tmp/go-link-818454663/000019.o: In function `mygetgrouplist':
> /usr/lib/go-1.10/src/os/user/getgrouplist_unix.go:15: warning: Using
> 'getgrouplist' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
>
> /tmp/go-link-818454663/000018.o: In function `mygetgrgid_r':
> /usr/lib/go-1.10/src/os/user/cgo_lookup_unix.go:38: warning: Using
> 'getgrgid_r' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
>
> ...

as well as segfaults in the resulting binary.

For more details, check https://github.com/golang/go/issues/23265

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-07-02 13:43:21 -07:00
Akihiro Suda 39f679c450 travis: test cross compilation
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-06-16 09:32:39 +09:00
Andrei Vagin 74e961e2e2 tests: allow to load kernel modules from a test container
CRIU needs to load a few modules to checkpoint/resume containers.

https://github.com/opencontainers/runc/issues/1745
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
2018-03-13 01:20:12 +03:00
Daniel, Dao Quang Minh aada2af1b2
Merge pull request #1748 from cyphar/makefile-release
makefile: make "release" PHONY
2018-02-28 15:43:01 +00:00
Aleksa Sarai 8d7b5731e5
makefile: make "release" PHONY
This just makes it nicer to do "make release" if you have to do builds
for more than one release.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-28 16:40:30 +11:00
Tibor Vass 10a4cde4b9 Fix make shell
The "shell" rule in the Makefile uses docker to run a bash session,
however it was depending on the "all" rule which assumes non-docker local
development. This commit fixes it by making it depend on the "runcimage" rule.

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-02-28 05:23:03 +00:00
Akihiro Suda dd5eb3b9e3 make: validate C format
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-01-24 10:49:50 +09:00
Yong Tang ec42eaa427 Add `-installsuffix netgo` in static build
This fix adds `-installsuffix netgo` in static build in combination
of `-tags netgo`. See following for the reason:
https://github.com/golang/go/issues/9369#issuecomment-69864440

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-09-11 18:20:19 +00:00
Yong Tang 337c3fb88c Use `netgo` for static build
This fix adds `netgo` to tags for static build so that
the following warning could be addressed:
```
/tmp/go-link-355596637/000000.o: In function `_cgo_b0c710f30cfd_C2func_getaddrinfo':
/tmp/go-build/net/_obj/cgo-gcc-prolog:46: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
```

The above warning appears when building `make static` with
go 1.9.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-09-11 18:20:19 +00:00
Aleksa Sarai d0aec23c7e
tests: generalise rootless runner
This is necessary in order to add proper opportunistic tests, and is a
placeholder until we add tests for new{uid,gid}map configurations.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-09-09 12:45:33 +10:00
Aleksa Sarai c24f602407
ci: smoke-test the release script
To make sure that `make release` doesn't suddenly break after we've cut
a release, smoke-test the release scripts. The script won't fail if GPG
keys aren't found, so running in CI shouldn't be a huge issue.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-16 14:44:45 +10:00
Aleksa Sarai ed68ee1e10
release: import umoci's release.sh script
This script is far easier to use than the previous `make release`
target, not to mention that it also automatically signs all of the
artefacts and makes everything really easy to do for maintainers.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-16 14:35:52 +10:00
Aleksa Sarai b45e243f8b
*: enable -buildmode=pie
Go has supported PIC builds for a while now, and given the security
benefits of using PIC binaries we should really enable them. There also
appears to be some indication that non-PIC builds have been interacting
oddly on ppc64le (the linker cannot load some shared libraries), and
using PIC builds appears to solve this problem.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-15 00:12:27 +10:00
Aleksa Sarai 6581d0f488
makefile: drop usage of --install
The "go build -i" invocation may slightly help with incremental
recompilation, but it will cause builds to fail if $GOROOT is not
writeable by the current user. While this does appear to work sometimes,
it's a concern for external build systems where "-i" causes build errors
for no real gain.

Given the size of the runc project, --install is not really giving us
much anyway.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-08-14 00:10:32 +10:00
Michael Crosby 5930d5b427 Remove shfmt
We don't have that many scripts and for the amount of errors this is
causing on a weekly basis for contributors it's not worth the overhead.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-07-06 11:08:44 -07:00
Justin Cormack 7e3934a339 Allow specification of general Go build flags and ldflags
This is needed if you need to customise the build config for a given platform.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-05-19 11:24:03 +01:00
Michael Crosby 4c3584145f Revert back to using /sbin
This was changed in
https://github.com/opencontainers/runc/commit/d2f49696#diff-b67911656ef5d18c4ae36cb6741b7965R7
and is causing install problems for people building runc and having it
installed in /bin and /sbin.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-04-14 10:15:33 -07:00
Aleksa Sarai ba38383a39
tests: add rootless integration tests
This adds targets for rootless integration tests, as well as all of the
required setup in order to get the tests to run. This includes quite a
few changes, because of a lot of assumptions about things running as
root within the bats scripts (which is not true when setting up rootless
containers).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-23 20:46:22 +11:00
Aleksa Sarai d2f49696b0
runc: add support for rootless containers
This enables the support for the rootless container mode. There are many
restrictions on what rootless containers can do, so many different runC
commands have been disabled:

* runc checkpoint
* runc events
* runc pause
* runc ps
* runc restore
* runc resume
* runc update

The following commands work:

* runc create
* runc delete
* runc exec
* runc kill
* runc list
* runc run
* runc spec
* runc state

In addition, any specification options that imply joining cgroups have
also been disabled. This is due to support for unprivileged subtree
management not being available from Linux upstream.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-23 20:45:24 +11:00
Mrunal Patel 4f903a21c4 Remove ambient build tag
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-15 11:38:43 -07:00
Alexander Morozov 993cbf9db0
move from Godeps to vndr
This uses the standard go vendor location instead of old Godeps
location.

Also remove usage of symlink GOPATH. Since our README mentions that you
should build it inside GOPATH, I think it's reasonable to assume that
you don't need to create a tmp GOPATH.

Signed-off-by: Daniel Dao <dqminh89@gmail.com>
2017-02-24 11:25:21 +00:00
Michael Crosby 54a4439700 Merge pull request #1252 from FengtuWang/remove-i
remove `-i` option to avoid failure of jenkins in non-interactive mode.
2017-01-09 10:51:13 -08:00
Fengtu Wang b5d4da872c remove `-i` option to avoid failure of jenkins in non-interactive mode.
Signed-off-by: Fengtu Wang <wangfengtu@huawei.com>
2017-01-04 16:33:05 +08:00
Ma Shimiao 9befe82cde Makefile: add manpage cleanup
I think generated manpages should also need cleanup

Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2016-12-16 14:33:05 +08:00
Mrunal Patel 34f23cb99c Merge pull request #1018 from cyphar/console-rewrite
Consoles, consoles, consoles.
2016-12-07 14:37:19 -08:00
Aleksa Sarai 972c176ae4
tests: fix all the things
This fixes all of the tests that were broken as part of the console
rewrite. This includes fixing the integration tests that used TTY
handling inside libcontainer, as well as the bats integration tests that
needed to be rewritten to use recvtty (as they rely on detached
containers that are running).

This patch is part of the console rewrite patchset.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-12-01 15:49:37 +11:00
Aleksa Sarai 1543444ada
contrib: add recvtty proof-of-concept
This is a proof-of-concept for the --console-socket API. It just acts as
a dumb input-output copy process (nowhere near as good as the internal
runC one since it doesn't handle console resizes or signals). It also
provides a test-friendly mode that will be used in the bats integration
tests.

This patch is part of the console rewrite patchset.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-12-01 15:49:36 +11:00
Wang Long 21bc1a6e00 delete unused variable
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-11-30 20:35:46 +08:00
Daniel Martí b9d13467b9 Add shfmt to the validate make target
We need to run on a directory since shell files might have no extension.
There are few shell files, so speed should not be an issue.

Fixes #1166.
2016-11-17 13:55:59 +00:00
Michael Crosby 603c151e6c Move ambient capabilities behind build tag
This moves the ambient capability support behind an `ambient` build tag
so that it is only compiled upon request.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-11-02 10:59:59 -07:00
Shukui Yang 4853f3b628 Bug fix for make dbuild
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-09-26 12:04:50 +08:00
Mrunal Patel f516b5d082 Merge pull request #1022 from hqhq/add_privileged_for_dbuild
Add privileged to make dbuild
2016-09-13 10:07:10 -07:00
Shukui Yang 8b151933ed Fix make release error:
/bin/sh: 1: Syntax error: "(" unexpected
make: *** [release] Error 2
-SHELL ?= $(shell command -v bash 2>/dev/null)
+SHELL := $(shell command -v bash 2>/dev/null)
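
Review bot: on the `+SHELL :=` line, `command -v bash 2>/dev/null` returns an empty string when bash is not installed, so SHELL is assigned an empty value with no diagnostic, because stderr is discarded and there is no fallback. Add a guard that stops with an explicit error when the lookup returns nothing. The message should also say why `?=` had no effect: make always predefines SHELL, so the conditional assignment never ran, which is why the quoted syntax error comes from `/bin/sh`.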

Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-09-12 18:52:24 +08:00
Aleksa Sarai 37f1747aec
Merge branch 'pr-914'
Closes #914
2016-09-10 17:24:16 +10:00
Mrunal Patel c6b3e79d30 Merge pull request #1017 from WeiZhang555/version-dirty
Append string "-dirty" to version if git repo is unclean
2016-09-07 12:24:19 -07:00
Qiang Huang aeba315e44 Add privileged to make dbuild
So we don't get `mount: permission denied` when make dbuild.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-06 14:53:46 +08:00
Zhao Lei 54390f89a7 Introduce make release
So we can make all types of release binary with combination
of following flags:
 seccomp
 selinux
 apparmor
 static

All binary files are put in release/ dir, like:
 [root@zlosvm1 runc]# ls -l release
 total 53556
 -rwxr-xr-x 1 root root 9517965 Aug 24 16:59 runc
 -rwxr-xr-x 1 root root 9673533 Aug 24 17:00 runc.seccomp
 -rwxr-xr-x 1 root root 9705839 Aug 24 17:00 runc.seccomp.selinux
 -rwxr-xr-x 1 root root 9546175 Aug 24 16:59 runc.selinux
 -rwxr-xr-x 1 root root 8205015 Aug 24 16:59 runc.selinux.static
 -rwxr-xr-x 1 root root 8181789 Aug 24 16:59 runc.static
 ...
Closes #899

Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
2016-09-06 11:22:34 +08:00
Jiuyue Ma 4bc8637393 Makefile: Fix wrong dependency of "integration" target
Change dependency of integration to runcimage.

Signed-off-by: Jiuyue Ma <majiuyue@huawei.com>
2016-09-06 08:38:32 +08:00